CVE-2013-4191

zip.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly enforce access restrictions when including content in a zip archive, which allows remote attackers to obtain sensitive information by reading a generated archive.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
ploneplone
4.3
ploneplone
4.3.1
ploneplone
4.2
ploneplone
4.2.1
ploneplone
4.2.2
ploneplone
4.2.3
ploneplone
4.2.4
ploneplone
4.2.5
ploneplone
2.1
ploneplone
2.1.1
ploneplone
2.1.2
ploneplone
2.1.3
ploneplone
2.1.4
ploneplone
2.5
ploneplone
2.5.1
ploneplone
2.5.2
ploneplone
2.5.3
ploneplone
2.5.4
ploneplone
2.5.5
ploneplone
3.0
ploneplone
3.0.1
ploneplone
3.0.2
ploneplone
3.0.3
ploneplone
3.0.4
ploneplone
3.0.5
ploneplone
3.0.6
ploneplone
3.1
ploneplone
3.1.1
ploneplone
3.1.2
ploneplone
3.1.3
ploneplone
3.1.4
ploneplone
3.1.5.1
ploneplone
3.1.6
ploneplone
3.1.7
ploneplone
3.2
ploneplone
3.2.1
ploneplone
3.2.2
ploneplone
3.2.3
ploneplone
3.3
ploneplone
3.3.1
ploneplone
3.3.2
ploneplone
3.3.3
ploneplone
3.3.4
ploneplone
3.3.5
ploneplone
4.0
ploneplone
4.0.1
ploneplone
4.0.2
ploneplone
4.0.3
ploneplone
4.0.4
ploneplone
4.0.5
ploneplone
4.0.6.1
ploneplone
4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://plone.org/products/plone-hotfix/releases/20130618
http://plone.org/products/plone/security/advisories/20130618-announcement
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978453
http://plone.org/products/plone-hotfix/releases/20130618
http://plone.org/products/plone/security/advisories/20130618-announcement
http://seclists.org/oss-sec/2013/q3/261
https://bugzilla.redhat.com/show_bug.cgi?id=978453